Term Rewriting: Some Experimental Results


Richard  C.  Potter 
David  A.  Plaisted 
Department  of  Computer  Science 
University  of  North  Carolina  at  Chapel  Hill 
Chapel  Hill,  North  Carolina  27514 


Abstract. We discuss term rewriting in conjunction with sprfn, a Prolog-based theorem prover.
Two techniques for theorem proving that utilize term rewriting are presented. We demonstrate their
effectiveness by exhibiting the results of our experiments in proving some theorems of von
Neumann-Bernays-Gödel set theory. Some outstanding problems associated with term rewriting are
also addressed.

1. Introduction

Term rewriting is one of the more powerful techniques that can be employed in mechanical theorem
proving. Term rewriting allows us to prove fairly sophisticated theorems that are beyond the ability of
most resolution-based theorem provers. Unlike resolution, term rewriting seems to duplicate a rule of
inference that humans use in constructing proofs. In this paper, we will describe our research and results in
proving theorems via term rewriting. The body of theorems we prove are set theoretic; the axiomatization
of set theory employed is derived from the work of von Neumann, Bernays, and Gödel. For a list of these
axioms, see [2]. The advantage of the von Neumann-Bernays-Gödel formalization is that it allows us to
express set theory in first-order logic. This in turn implies that a first-order theorem prover can be used to
derive set theoretic theorems. On the other hand, this formalization has a significant disadvantage in that it
is very clumsy for humans to use. Second order logic is a much cleaner means for expressing the axioms
of set theory.

We begin by introducing sprfn, the Prolog-based theorem prover we used in our research; we
emphasize the formal deduction system underlying the prover. In the second section we describe the term
rewriting mechanism built into sprfn. In the third and fourth sections we describe two theorem proving
techniques utilizing term rewriting and the results of these approaches when employed in connection with
sprfn. In each of these two sections we give examples of sample theorems that we were able to derive.
We conclude by summarizing our results and addressing some problems that face term rewriting in general
as well as some problems specific to term rewriting with sprfn.

2. SPRFN and the Simplified Problem Reduction Format

The theorem prover we used -- sprfn -- is based on a natural deduction system in first order logic
which is described in [1]. However, before we present this formal system, we would like to motivate it by
describing the format on which it is based; namely, the problem reduction format. The formal deduction
system implemented by sprfn is a refinement of the problem reduction format. Both of them embody the
same goal-subgoal structure, as can be seen from what follows. The following description omits many
details. For a complete discussion of the problem reduction format, see [5].

The structure of the problem reduction format is as follows. One begins with a conclusion $G$ to be
established and a collection of assertions presumed to be true. Assertions are of the form
$C$ :- $A_1, A_2, \ldots, A_n$ (implication) or $P$ (premises) where $A_i$, $P$ and $C$ are literals or negations of literals.
The implication assertion is understood to mean $A_1 \,\&\, A_2 \,\&\, \cdots \,\&\, A_n \rightarrow C$. The $A_i$'s are antecedent statements,
or simply antecedents, and $C$ is the consequent of the implication. We call the conclusion $G$ the top-goal.
The process of attempting to confirm the conclusion begins with a search of the premises to see if one
premise matches (is identical with or can be made identical by unification with) the goal $G$. If a premise
$P_i$ matches $G$ then the conclusion is confirmed by $P_i$. Otherwise, the set of implications whose
consequents match $G$ is found. If the antecedent of one implication can be confirmed then one has confirmed the
consequent, and hence $G$, which the consequent matches. Otherwise we consider the antecedents as new
subgoals to be confirmed, one implication at a time. These goals are called subgoals because none of them
is the primary goal. The process of confirming these subgoals involves repeating the method just described
in connection with the top-goal.

The natural deduction system underlying sprfn -- the modified problem reduction format -- is based
on the problem reduction format just described, although refinements are added for the sake of
completeness of the deduction system. We do not have room to describe these refinements. The following
description of the modified problem reduction format omits many details. For a complete discussion, see [4].

A clause is a disjunction of literals. A Horn-like clause, converted from a clause, is of the form
$L$ :- $L_1, L_2, \ldots, L_n$ where $L$ and the $L_i$'s are literals. $L$ is called the head literal. The $L_i$'s constitute the
clause body. A clause is converted to a Horn-like clause as follows. For a given clause containing at least
one positive literal, one of its positive literals is chosen as the head literal and all other literals are put in the
clause body negated. For an all-negative clause, we use false as the head literal and form the body from
positive literals corresponding to the original literals.

Now assume $S$ is a set of Horn-like clauses. A set of inference rules, derived from $S$, is obtained as
follows. For each clause $L$ :- $L_1, L_2, \ldots, L_n$ in $S$, we have the following clause rule:

Clause  Rules 

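\[
\frac{\Gamma_0 \rightarrow L_1 \Rightarrow \Gamma_1 \rightarrow L_1,\quad \Gamma_1 \rightarrow L_2 \Rightarrow \Gamma_2 \rightarrow L_2,\quad \ldots,\quad \Gamma_{n-1} \rightarrow L_n \Rightarrow \Gamma_n \rightarrow L_n}{\Gamma_0 \rightarrow L \Rightarrow \Gamma_n \rightarrow L}
\]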

We  also  have  assumption  axioms  and  a  case  analysis  (splitting)  rule.  Let  L  be  a  positive  literal. 
Then  the  assumption  axioms  and  case  analysis  rule  can  be  stated  as  follows: 

Assumption  Axioms 

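\[
\Gamma \rightarrow L \Rightarrow \Gamma \rightarrow L \quad \text{if } L \in \Gamma
\]
\[
\Gamma \rightarrow \overline{L} \Rightarrow \Gamma, \overline{L} \rightarrow \overline{L}
\]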

Case  Analysis  (splitting)  Rule 

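\[
\frac{\Gamma_0 \rightarrow L \Rightarrow \Gamma_1, \overline{M} \rightarrow L,\quad \Gamma_1, M \rightarrow L \Rightarrow \Gamma_1, M \rightarrow L}{\Gamma_0 \rightarrow L \Rightarrow \Gamma_1 \rightarrow L}
\]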

The goal-subgoal structure of this deduction system is evident. The input clause $L$ :- $L_1, L_2, \ldots, L_n$
merely states that $L_1, L_2, \ldots, L_n$ have to be confirmed in order to confirm $L$. The corresponding clause
rule for $L$ :- $L_1, L_2, \ldots, L_n$ states that, if the initial subgoal is $\Gamma \rightarrow L$, then make $L_1, \ldots, L_n$ subgoals in
succession; add to $\Gamma$ successively the literals that are needed to make each one provable; and finally, return
$\Gamma_n \rightarrow L$ where $\Gamma_n$ contains all the literals needed to make $L_1, \ldots, L_n$ provable.

Sprfn implements the natural deduction system just described. Sprfn exploits Prolog style
depth-first iterative-deepening search. This search strategy involves repeatedly performing exhaustive depth-first
search with increasing depth bounds. For a description of the strategy, see [6]. This search strategy is
complete and can be efficiently implemented in Prolog, taking advantage of Prolog's built-in depth-first
search with backtracking.


3.  SPRFN  and  Term  Rewriting 
3.1.  Input  Format 

The input to sprfn is formatted in Horn-like clauses. Given a set S of clauses, we convert them into
Horn-like clauses as follows. For a clause containing at least one positive literal, we select one such literal
to be the head, negate the remaining literals, and move them to the body of the clause. For an all-negative
clause, we use false as the head of the clause and form the body from the positive literals corresponding to
the original literals. The following example shows how to translate from clause form into the format
accepted by sprfn. Notice the similarity of the input format syntax to Prolog program syntax.


Clause Form

P(x) ∨ Q(x)
~P(x) ∨ R(x)
~Q(x) ∨ R(x)
~R(a)

Input Format for sprfn

p(X):-not(q(X))


For input to sprfn, the convention is that a name starting with a capital letter is a variable name; all
other names are predicate names, function names or constants. Not and false are reserved for negation and
for the head of the top-level goal, respectively.


3.2.  The  Method  of  Proof 




The  prover  attempts  to  prove  that  false  is  derivable  from  the  input  clauses.  For  example,  given  the 
following  set  of  clauses: 


p(X) :- not(q(X))
r(X) :- p(X)
r(X) :- q(X)
false :- r(a)


sprfn  will  derive  the  following  proof: 


false :- cases(
(not q(a): (r(a) :- (p(a) :- not q(a)))),
(q(a): (r(a) :- q(a)))
)


Thus, false can be proven from the input clauses. For there are two cases to consider. (1) Suppose not q(a)
is true; then we can derive false as follows. Since we are given that false :- r(a), we make r(a) our subgoal.
Now we can derive r(a) if we can prove p(a), since we are given r(X) :- p(X). Meanwhile, we can derive
p(a) if we can prove not q(a), since we are given p(X) :- not q(X). However, we are assuming not q(a), so
this subgoal can be proven. (2) Suppose q(a) is true; then we can derive false as follows. Once again, we
make r(a) our subgoal, since we are given that false :- r(a). Now we can derive r(a) if we can prove q(a),
since we are given r(X) :- q(X). But we are assuming q(a), so this subgoal can be proven.
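
The clause rule, assumption axioms and splitting rule of Section 2, run on the four clauses above. This is an added example, not sprfn's code: the predicates cl/2, solve/5, split/4, discharge/5 and prove/3 and the shape of the proof term are hypothetical, negative assumptions are restricted to ground literals, and the depth limit of 8 is arbitrary.

```prolog
% Added example, not sprfn source. Negative assumptions must be ground.
:- use_module(library(lists)).

% Input clauses of Section 3.2, stored as cl(Head, BodyList).
cl(p(X),  [not(q(X))]).
cl(r(X),  [p(X)]).
cl(r(X),  [q(X)]).
cl(false, [r(a)]).

% solve(+L, +G0, -G1, +D, -Proof): derive  G0 -> L  =>  G1 -> L  using at most
% D nested clause-rule steps. G0 and G1 are lists of assumed literals (Gamma).
solve(L, G, G, _, assumed(L)) :-                      % assumption axiom: L in Gamma
    member(L, G).
solve(not(L), G, [not(L)|G], _, assumed(not(L))) :-   % assumption axiom: add not L
    ground(L),
    \+ memberchk(L, G),
    \+ memberchk(not(L), G).
solve(L, G0, G, D, (L :- Proofs)) :-                  % clause rule
    D > 0, D1 is D - 1,
    cl(L, Body),
    solve_body(Body, G0, G, D1, Proofs).

% Body literals become subgoals in succession; Gamma is threaded through them.
solve_body([], G, G, _, []).
solve_body([L|Ls], G0, G, D, [P|Ps]) :-
    solve(L, G0, G1, D, P),
    solve_body(Ls, G1, G, D, Ps).

% split(+L, +G, +D, -Proof): case analysis (splitting) rule. Every literal
% not(M) assumed while proving L must be discharged by proving L again
% with M assumed instead.
split(L, G, D, Proof) :-
    solve(L, G, G1, D, P),
    append(New, G, G1),              % New = literals assumed in this derivation
    discharge(New, L, G, D, Cases),
    (   Cases == []
    ->  Proof = P
    ;   Proof = cases([New-P | Cases])
    ).

discharge([], _, _, _, []).
discharge([not(M)|Rest], L, G, D, [[M]-P | Cases]) :-
    append(Rest, G, G1),
    split(L, [M|G1], D, P),
    discharge(Rest, L, G, D, Cases).

% prove(+Goal, -Depth, -Proof): depth-first search with an increasing depth bound.
prove(Goal, D, Proof) :-
    between(1, 8, D),
    split(Goal, [], D, Proof), !.

% ?- prove(false, Depth, Proof).
```

The query at the end asks for the same two-case proof that the text walks through, with one case per assumed literal.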

3.3. The Term Rewriting Mechanism in SPRFN


Replace. An assertion of the form replace(<expr1>, <expr2>) in the input signifies that all subgoals
of form <expr1> should be replaced by subgoals of the form <expr2> before attempting to solve them.
This is like a rewrite applied at the 'top level'. This is sound if <expr1> :- <expr2> is valid.


Rewrite. An assertion of the form rewrite(<expr1>, <expr2>) in the input signifies that all
subexpressions of form <expr1> should be replaced by subexpressions of the form <expr2>. This is like a
rewrite applied anywhere, not just at the top level. This is sound if the logical equivalence <expr1> <->
<expr2> is valid, or, in case when the expressions are terms, if the equation <expr1> = <expr2> is valid.


In our experiments, we translated the axioms of von Neumann-Bernays-Gödel set theory into a list
of rewrite rules and then attempted to derive various theorems based on these rules. For example, consider
the axiom for Subset below:


$(\forall x, y)[x \subseteq y \leftrightarrow (\forall u)[(u \in x \rightarrow u \in y)]]$


This would be translated into the following two rewrite rules, which would be given as input to the prover:


rewrite(sub(X,Y), or(not(el(f17(X,Y),X)), el(f17(X,Y),Y))).
rewrite(not(sub(X,Y)), and(el(U,X), not(el(U,Y)))).


Several points deserve mention. First of all, note that the single axiom gives rise to two rewrite rules
- a "positive" as well as a "negative" rule. This is to preserve soundness, since sprfn performs outermost
term rewriting. The presence of the negative rewrite rule ensures that whenever sprfn rewrites a term of
the form sub(X,Y) with or(not(el(f17(X,Y),X)), el(f17(X,Y),Y)) (which implies that sprfn is using the
positive rule) we know that this term does not appear in a negative context; for if it did, the prover would
already have rewritten it using the negative rule.

We should also point out what may seem at first to be a counter-intuitive feature of these rewrite
rules. Note the presence of the skolem function f17(X,Y) in the positive rewrite rule and the unbound
variable U in the negative rule. One might think that the situation should be reversed. However, the
correctness of this procedure can be seen by reflecting upon the following. Recall that sprfn performs subgoaling
in attempting to prove false. Thus if the prover is attempting to prove A, let's say, and it tries to do this by
trying to prove the subgoal B, this procedure will only be sound if it is the case that B → A. Our rewrite
rules must observe this fact. Hence, if we are trying to prove A and we attempt to do so by rewriting A
with B and then trying to prove the subgoal B, it must be the case that B → A. Or, to put the matter in
Prolog symbolism, it must be the case that A :- B. When we skolemize the original axiom, we see that the
following are logical consequences of the skolemized input clauses:

sub(X,Y) :- or(not(el(f17(X,Y),X)), el(f17(X,Y),Y))
not(sub(X,Y)) :- and(el(U,X), not(el(U,Y)))

Thus,  we  must  express  our  two  rewrite  rules  as  given  above. 

For  further  details  concerning  the  term  rewriting  facility,  the  reader  should  consult  Appendix  A. 


4.  Term  Rewriting  with  a  Tautology  Checker 

In our first experiment, we modified sprfn to make use of a tautology checker. Suppose that we
wish to prove the set theoretic theorem T, which, in accordance with the procedure outlined above, has been
converted into the top-level goal: "false :- X".

If the flag t_test is set, then the prover will call the tautology checker tautology3(X,Y), where X is
the input theorem (derived from the top-level goal "false :- X") and Y is the output consisting of the
non-tautologous part (if any) of X. If X is a tautology, then the prover will halt; else, the original goal: "false :-
X" is retracted and replaced in the database with the new goal: "false :- Y". The prover then proceeds to
attempt to prove "false" by means of the subgoaling method described above. This method seems to work
quite well. For one thing, if "X" is a tautology, the tautology checker allows the prover to spot this fact
much sooner than if it had attempted to achieve its top-level goal by means of its subgoaling mechanism
alone. For another, we have found that when "X" is not a tautology, by removing the tautologous portion
of X and returning "Y" as the subgoal to be proved, we save the prover considerable time and avoid
needlessly duplicated effort.

Note:  tautology3(X,Y)  does  not  unify  variables  (thus  it  only  eliminates  a  disjunction  as  a  tautology  if 
some  literal  L  appears  both  negated  and  un-negated  in  the  clause). 

As a standard practice, we have included the axiom: "or(X,Y) :- prolog(tautology(or(X,Y)))" to
handle cases where unifying is necessary to eliminate tautologous clauses. This allows us to invoke Prolog
from within sprfn, and to call the Prolog predicate tautology/1 which succeeds if its input can be converted
into a tautology via unification.

Thus backtracking over the elimination of a tautologous clause is still possible, but it only occurs
with respect to the "or" rewrite rule. This seems more efficient than permitting backtracking into the
tautology3 routine itself (which would be required if we allowed unification within tautology3).

For  further  details  concerning  the  tautology  checker,  the  reader  is  referred  to  Appendix  B. 

We  now  exhibit  two  examples  of  the  prover  at  work,  utilizing  the  tautology  checker. 

4.1.  Example  1 

In this first example, we show how the tautology checker returns the non-tautologous portion of its
input theorem, which is then proven by sprfn's subgoaling mechanism.

Proof  of  Difference  and  Join  Theorem 

Our  top-level  goal  is: 


false:-eq(diff(a,b),join(a,comp(b)))




After reading in the input clauses, which contain our set theoretic rewrite rules as well as a few axioms, the
prover begins by calling our tautology checker:


t_test is asserted
b_only is asserted
solution_size_mult(0.1) is asserted
proof_size_mult(0.4) is asserted

calling(tautology3(eq(diff(a,b),join(a,comp(b))),_9812))


After removing the tautologous portion of the theorem, tautology3 returns the following:


conjunct:

m(f17(diff(a,b),comp(b)))
not el(f17(diff(a,b),comp(b)),a)
el(f17(diff(a,b),comp(b)),b)

Continue?: yes.


At this point, the tautology checker informs the user that it has a conjunction of disjunctions (in this case
there is only one such disjunction) left, which it could not eliminate via tautology checking alone. It asks
the user if he wishes to proceed, and in this case, we answer in the affirmative. The prover's subgoaling
procedure is now invoked, and in a short time sprfn returns with the following:


proof found
false:-cases(
(not el(f17(diff(a,b),comp(b)),a):
(or(m(f17(diff(a,b),comp(b))),or(not el(f17(diff(a,b),comp(b)),a),
el(f17(diff(a,b),comp(b)),b))):-(or(not el(f17(diff(a,b),comp(b)),a),
el(f17(diff(a,b),comp(b)),b)):-not el(f17(diff(a,b),comp(b)),a)))),
(el(f17(diff(a,b),comp(b)),a):
(or(m(f17(diff(a,b),comp(b))),or(not el(f17(diff(a,b),comp(b)),a),
el(f17(diff(a,b),comp(b)),b))):-(m(f17(diff(a,b),comp(b))):-
el(f17(diff(a,b),comp(b)),a)))))


size of proof 7

8.73 cpu seconds used
3 inferences done

It is worth pointing out that by using the term rewriting facility without invoking the tautology
checker, the prover was able to derive the theorem in 128.43 cpu seconds with 34 inferences. We
attempted to prove the theorem using neither the tautology checker nor rewrite rules; but after letting the
prover run for over two hours without finding the proof, we put it out of its misery.

4.2.  Example  2 

In  this  second  example,  we  show  the  prover’s  term  rewriting  facility  in  action.  In  this  particular 
case,  the  tautology  checker  is  able  to  establish  that  the  entire  input  theorem  is  a  tautology;  hence  it  is 
unnecessary  to  invoke  sprfn’s  subgoaling  mechanism,  since  the  theorem  is  already  proven. 

Proof  of  Power  Set  Theorem 

Our  top-level  goal  is: 

false:-eq(pset(join(a,b)),join(pset(a),pset(b)))

After reading in the input clauses, which contain our set theoretic rewrite rules as well as a few axioms, the
prover begins by calling our tautology checker:

t_test is asserted
b_only is asserted
solution_size_mult(0.1) is asserted
proof_size_mult(0.4) is asserted

calling(tautology3(eq(pset(join(a,b)),join(pset(a),pset(b))),_9818))


The  rewriting  mechanism  displays  the  results  of  its  outermost  term  rewriting  operation: 


rewrite(eq(pset(join(a,b)),join(pset(a),pset(b))),and(sub(pset(join(a,b)),
join(pset(a),pset(b))),sub(join(pset(a),pset(b)),pset(join(a,b)))))

rewrite(sub(pset(join(a,b)),join(pset(a),pset(b))),and(sub(pset(join(a,b)),
pset(a)),sub(pset(join(a,b)),pset(b))))

rewrite(sub(pset(join(a,b)),pset(a)),or(not el(f17(pset(join(a,b)),pset(a)),
pset(join(a,b))),el(f17(pset(join(a,b)),pset(a)),pset(a))))

rewrite(not el(f17(pset(join(a,b)),pset(a)),pset(join(a,b))),not sub(f17(pset(
join(a,b)),pset(a)),join(a,b)))

rewrite(not sub(f17(pset(join(a,b)),pset(a)),join(a,b)),or(not sub(f17(pset(
join(a,b)),pset(a)),a),not sub(f17(pset(join(a,b)),pset(a)),b)))

rewrite(el(f17(pset(join(a,b)),pset(a)),pset(a)),sub(f17(pset(join(a,b)),
pset(a)),a))

rewrite(sub(pset(join(a,b)),pset(b)),or(not el(f17(pset(join(a,b)),pset(b)),
pset(join(a,b))),el(f17(pset(join(a,b)),pset(b)),pset(b))))

rewrite(not el(f17(pset(join(a,b)),pset(b)),pset(join(a,b))),not sub(f17(pset(
join(a,b)),pset(b)),join(a,b)))

rewrite(not sub(f17(pset(join(a,b)),pset(b)),join(a,b)),or(not sub(f17(pset(
join(a,b)),pset(b)),a),not sub(f17(pset(join(a,b)),pset(b)),b)))

rewrite(el(f17(pset(join(a,b)),pset(b)),pset(b)),sub(f17(pset(join(a,b)),

rewrite(sub(join(pset(a),pset(b)),pset(join(a,b))),or(not el(f17(join(pset(a),
pset(b)),pset(join(a,b))),join(pset(a),pset(b))),el(f17(join(pset(a),pset(b)),
pset(join(a,b))),pset(join(a,b)))))

rewrite(not el(f17(join(pset(a),pset(b)),pset(join(a,b))),join(pset(a),pset(b))),
or(not el(f17(join(pset(a),pset(b)),pset(join(a,b))),pset(a)),not el(f17(
join(pset(a),pset(b)),pset(join(a,b))),pset(b))))

rewrite(not el(f17(join(pset(a),pset(b)),pset(join(a,b))),pset(a)),not sub(f17(
join(pset(a),pset(b)),pset(join(a,b))),a))

rewrite(not el(f17(join(pset(a),pset(b)),pset(join(a,b))),pset(b)),not sub(f17(
join(pset(a),pset(b)),pset(join(a,b))),b))

rewrite(el(f17(join(pset(a),pset(b)),pset(join(a,b))),pset(join(a,b))),sub(f17(
join(pset(a),pset(b)),pset(join(a,b))),join(a,b)))

rewrite(sub(f17(join(pset(a),pset(b)),pset(join(a,b))),join(a,b)),and(sub(f17(
join(pset(a),pset(b)),pset(join(a,b))),a),sub(f17(join(pset(a),pset(b)),
pset(join(a,b))),b)))


At  this  point,  rewriting  has  been  completed;  the  procedure  cnfexpand  is  now  invoked  to  expand  the 
rewritten  theorem  into  conjunctive  normal  form  and  to  then  eliminate  all  tautologous  conjuncts. 


call(0,cnf_expand(and(and(or(or(not sub(f17(pset(join(a,b)),pset(a)),a),not sub(
f17(pset(join(a,b)),pset(a)),b)),sub(f17(pset(join(a,b)),pset(a)),a)),or(or(not
sub(f17(pset(join(a,b)),pset(b)),a),not sub(f17(pset(join(a,b)),pset(b)),b)),sub(
f17(pset(join(a,b)),pset(b)),b))),or(or(not sub(f17(join(pset(a),pset(b)),pset(
join(a,b))),a),not sub(f17(join(pset(a),pset(b)),pset(join(a,b))),b)),and(sub(f17(
join(pset(a),pset(b)),pset(join(a,b))),a),sub(f17(join(pset(a),pset(b)),pset(
join(a,b))),b)))),_15815))


Initially,  when  cnf_expand  is  called,  its  output  argument  is  the  uninstantiated  Prolog  variable  _15815.  But 
when  it  returns,  this  output  argument  has  been  instantiated  to  the  empty  list,  signifying  that  no  non- 
tautologous  portion  of  the  theorem  remains: 


return(0,cnf_expand(and(and(or(or(not sub(f17(pset(join(a,b)),pset(a)),a),not sub(
f17(pset(join(a,b)),pset(a)),b)),sub(f17(pset(join(a,b)),pset(a)),a)),or(or(not
sub(f17(pset(join(a,b)),pset(b)),a),not sub(f17(pset(join(a,b)),pset(b)),b)),sub(
f17(pset(join(a,b)),pset(b)),b))),or(or(not sub(f17(join(pset(a),pset(b)),pset(
join(a,b))),a),not sub(f17(join(pset(a),pset(b)),pset(join(a,b))),b)),and(sub(f17(
join(pset(a),pset(b)),pset(join(a,b))),a),sub(f17(join(pset(a),pset(b)),pset(
join(a,b))),b)))),[]))

tautology3 returns: is_tautology
theorem_is_a_tautology


4.28 cpu seconds used
0 inferences done


We observed two very important things while running these tests. First of all, we found that
including explicit rewrite rules to distribute "or" over "and" significantly slowed down the tautology checker.
(Fortunately, the cnf_expand routine is able to test for tautologies without requiring that its input argument
be in conjunctive normal form; hence employing the distribution rules is not needed.) We ran tests in
which these distribution rules were used and tests in which they were not. The results are contained in
Appendix D.

Secondly, we discovered that the depth to which term rewriting is allowed to take place greatly
affects overall performance. For example, in the case of the Power Set theorem exhibited above, we did
not include in our input the rewrite rules for the Subset axiom. By omitting those two rules (see the earlier
section: "The Term Rewriting Mechanism in SPRFN") we cause the prover to regard terms of the form
"sub(X,Y)" as atomic and thus it does not rewrite them. In this way, it is able to discover that the entire
theorem is a tautology. On the other hand, we found that if we included the rewrite rules for the Subset
axiom, then our tautology checker was no longer able to eliminate the entire theorem as a tautology;
indeed, it returned a significantly long conjunction, which the subgoaling mechanism then had to prove.
This took a much greater amount of time. (Cf. Table 2.)

For a complete summary of our test results using the tautology checker, the reader should consult
Appendix D. A complete listing of all the rewrite rules we used in our experiments can be found in
Appendix C.
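
The rewrite-then-eliminate pipeline of this section, replayed on the Power Set theorem of Example 2, with a second mode that adds the two Subset rules of Section 3.3. This is an added example, not sprfn's tautology3 or cnf_expand: the rule set r/2 is an assumption read off the rewrite steps printed in the trace, all predicate names are hypothetical, and cnf/2 simply distributes "or" over "and", which the page says cnf_expand does not need to do.

```prolog
% Added example, not sprfn source. The rules in r/2 are an assumption read off
% the Example 2 trace; f17 is the page's Skolem function for the Subset axiom.
:- use_module(library(lists)).
:- use_module(library(apply)).

% r(Lhs, Rhs): rules used in both modes.
r(eq(X,Y),               and(sub(X,Y), sub(Y,X))).
r(not(sub(X,join(Y,Z))), or(not(sub(X,Y)), not(sub(X,Z)))).
r(sub(X,join(Y,Z)),      and(sub(X,Y), sub(X,Z))).
r(not(el(X,join(Y,Z))),  or(not(el(X,Y)), not(el(X,Z)))).
r(not(el(X,pset(Y))),    not(sub(X,Y))).
r(el(X,pset(Y)),         sub(X,Y)).
r(sub(X,pset(Y)),        or(not(el(f17(X,pset(Y)),X)), el(f17(X,pset(Y)),pset(Y)))).

% deep(Lhs, Rhs): the two Subset rules of Section 3.3, used only in mode `deep`.
deep(not(sub(X,Y)), and(el(U,X), not(el(U,Y)))).
deep(sub(X,Y),      or(not(el(f17(X,Y),X)), el(f17(X,Y),Y))).

rule(_,    L, R) :- r(L, R).
rule(deep, L, R) :- deep(L, R).

% step(+Mode, +T, -T1): one leftmost-outermost rewrite step. Because a
% not(...) node is tried before its argument, a positive rule never fires
% in a negative context. subsumes_term/2 makes matching one-way, so a
% variable already in T (the U of the negative Subset rule) is never bound.
step(M, T, T1) :-
    rule(M, L, R), subsumes_term(L, T), !,
    L = T, T1 = R.
step(M, T, T1) :-
    compound(T), T =.. [F|As],
    step_args(M, As, Bs),
    T1 =.. [F|Bs].

step_args(M, [A|As], [B|As]) :- step(M, A, B), !.
step_args(M, [A|As], [A|Bs]) :- step_args(M, As, Bs).

% normal(+Mode, +T, -N): rewrite until no rule applies anywhere.
normal(M, T, N) :- step(M, T, T1), !, normal(M, T1, N).
normal(_, T, T).

% cnf(+F, -Clauses): each clause is a list of literals.
cnf(and(A,B), Cs) :- !, cnf(A, Ca), cnf(B, Cb), append(Ca, Cb, Cs).
cnf(or(A,B),  Cs) :- !, cnf(A, Ca), cnf(B, Cb),
    findall(C, (member(X, Ca), member(Y, Cb), append(X, Y, C)), Cs).
cnf(L, [[L]]).

% A clause is dropped only when some literal occurs both negated and
% un-negated as identical terms (==), that is, without unifying variables.
tautologous(C) :- member(not(L), C), member(M, C), L == M, !.

% residue(+Mode, +Theorem, -Rest): clauses left over for the subgoaling step.
residue(Mode, Theorem, Rest) :-
    normal(Mode, Theorem, N),
    cnf(N, Cs),
    exclude(tautologous, Cs, Rest).

power_set(eq(pset(join(a,b)), join(pset(a), pset(b)))).

% ?- power_set(T), residue(shallow, T, Rest).
% ?- power_set(T), residue(deep, T, Rest), length(Rest, N).
```

The first query corresponds to the run shown in Example 2; the second repeats it with the Subset rules included, the situation described in the paragraph on rewriting depth.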

5.  Term  Rewriting  with  a  Preprocessor 


In our second experiment, we used our term rewriting facility as a preprocessor. We discovered in
our earlier experiments that, as a general rule, the more complex the theorem, the greater the number of
terms that ultimately result from rewriting the theorem. In fact, we found that for certain theorems, such as
the Composition of Homomorphisms theorem (see below) it was physically impossible to use the tautology
checker. This was due to the fact that one term was being rewritten to a conjunction (or disjunction) of
several other terms, each of which was itself subject to being rewritten into a complex of several terms and
so on. Thus, nearly exponential growth of the Prolog structure occurred during the operation of the
rewriting facility. This eventually caused Prolog to run out of stack long before the cnf_expand subroutine had a
chance to eliminate any tautologous portion of the theorem.

We decided, therefore, to preprocess the theorem by reducing the size of the term that appeared as
the body in the top-level goal. In general, our approach involved skolemizing the negated theorem and
then using the rewriting facility to produce the initial set of input clauses. As an illustration of this
technique, we present the following proof of the Composition of Homomorphisms theorem. We should point
out that it was necessary to add three simple axioms in order to derive the proof; also, it was necessary
once again to restrain the depth to which rewriting took place.

Proof  of  Composition  of  Homomorphisms  Theorem 
Our  theorem  is  the  following: 

$(\forall\, xh1, xh2, xs1, xs2, xs3, xf1, xf2, xf3)[(hom(xh1, xs1, xf1, xs2, xf2) \wedge hom(xh2, xs2, xf2, xs3, xf3)) \rightarrow hom(compose(xh2, xh1), xs1, xf1, xs3, xf3)]$

After skolemizing the negation of the theorem we have three clauses to be rewritten:
hom(ah1,as1,af1,as2,af2), hom(ah2,as2,af2,as3,af3), and not(hom(compose(ah2,ah1),as1,af1,as3,af3)).
Based on these clauses, the prover's term rewriting facility produced the following set of input clauses:

Clauses derived from hom(ah1,as1,af1,as2,af2):

eq(apply(ah1,apply(af1,ord_pair(G1,G2))),
apply(af2,ord_pair(apply(ah1,G1),apply(ah1,G2)))) :-
el(G1,as1), el(G2,as1).
maps(ah1,as1,as2).
closed(as2,af2).
closed(as1,af1).

Clauses derived from hom(ah2,as2,af2,as3,af3):


eq(apply(ah2,apply(af2,ord_pair(G3,G4))),
apply(af3,ord_pair(apply(ah2,G3),apply(ah2,G4)))) :-
el(G3,as2), el(G4,as2).
maps(ah2,as2,as3).
closed(as3,af3).
closed(as2,af2).


Clauses derived from not(hom(compose(ah2,ah1),as1,af1,as3,af3)):


el(g5,as1).

false :-
eq(apply(ah2,apply(ah1,apply(af1,ord_pair(g5,g6)))),
apply(af3,ord_pair(apply(ah2,apply(ah1,g5)),apply(ah2,apply(ah1,g6))))),
maps(compose(ah2,ah1),as1,as3),
closed(as3,af3),
closed(as1,af1).


Note  that  our  top-level  goal  has  become: 


false :-
eq(apply(ah2,apply(ah1,apply(af1,ord_pair(g5,g6)))),
apply(af3,ord_pair(apply(ah2,apply(ah1,g5)),apply(ah2,apply(ah1,g6))))),
maps(compose(ah2,ah1),as1,as3),
closed(as3,af3),
closed(as1,af1).


In  addition  to  these  input  clauses,  we  added  three  axioms.  The  first  two  of  these  are  trivial  while  the  third, 
although  non-trivial,  can  be  derived  by  the  prover  in  24.63  cpu  seconds  after  13  inferences. 


Axioms  for  proof  of  homomorphism  theorem: 

eq(apply(XF1,S1),apply(XF2,S2)) :-
eq(S1,S3), eq(apply(XF1,S3),apply(XF2,S2)).

el(apply(XF,X),S2) :- maps(XF,S1,S2), el(X,S1).

maps(compose(X,Y),S1,S3) :- maps(Y,S1,S2), maps(X,S2,S3).




Finally,  we  added  some  extra  rewrite  rules  which  serve  only  to  cut  down  on  the  size  of  data  structures  that 
result  from  term  rewriting. 


Rewrite  Rules  to  handle  large  terms: 


rewrite(f32(ah1,as1,af1,as2,af2),g1).
rewrite(f33(ah1,as1,af1,as2,af2),g2).
rewrite(f32(ah2,as2,af2,as3,af3),g3).
rewrite(f33(ah2,as2,af2,as3,af3),g4).
rewrite(f32(compose(ah2,ah1),as1,af1,as3,af3),g5).
rewrite(f33(compose(ah2,ah1),as1,af1,as3,af3),g6).
rewrite(apply(compose(XF1,XF2),S),apply(XF1,apply(XF2,S))).


Given this preprocessed input, sprfn is able to derive the following proof of the theorem:


proof found

false :- lemma((eq(apply(ah2,apply(ah1,apply(af1,ord_pair(g5,g6)))),
apply(af3,ord_pair(apply(ah2,apply(ah1,g5)),
apply(ah2,apply(ah1,g6))))):-[])),
(maps(compose(ah2,ah1),as1,as3):-
maps(ah1,as1,as2),
maps(ah2,as2,as3)),
closed(as3,af3),
closed(as1,af1).

size of proof 18

30.2333 cpu seconds used

14 inferences done


Note  that  the  proof  involves  a  lemma,  which  sprfn  derived  in  the  course  of  its  operation.  If  we  so  desire, 
we  can  ask  the  prover  to  show  us  how  it  came  up  with  this  lemma.  When  we  do  so,  it  responds  with  the 
following  derivation: 


proof of lemma:

false:-(eq(apply(ah2,apply(ah1,apply(af1,ord_pair(g5,g6)))),
apply(af3,ord_pair(apply(ah2,apply(ah1,g5)),
apply(ah2,apply(ah1,g6))))):-
lemma((eq(apply(ah1,apply(af1,ord_pair(g5,g6))),
apply(af2,ord_pair(apply(ah1,g5),apply(ah1,g6)))):-[])),
(eq(apply(ah2,apply(af2,ord_pair(apply(ah1,g5),apply(ah1,g6)))),
apply(af3,ord_pair(apply(ah2,apply(ah1,g5)),
apply(ah2,apply(ah1,g6))))):-
lemma((el(apply(ah1,g5),as2):-[])),
(el(apply(ah1,g6),as2):-
maps(ah1,as1,as2),el(g6,as1))))

size of proof 11

26.9166 cpu seconds used
13 inferences done


6.  Summary  of  Results  and  Some  Outstanding  Problems 

The  techniques  we  employed  allowed  us  to  prove  moderately  sophisticated  set  theoretic  theorems  in 
rapid  time  with  few  inferences.  These  theorems  would  have  been  much  more  difficult  to  derive  without  the 
rewrite  rules;  indeed,  sprfn  was  unable  to  derive  some  of  them  when  run  without  the  rewrite  rules. 
Undoubtedly  it  would  have  been  beyond  the  power  of  a  typical  resolution  theorem  prover  to  derive  most  of 
the  theorems  in  question. 

We have found that removing the tautologous portion of a theorem by means of some filter such as
our tautology checker seems to speed up the derivation time, by allowing the prover to focus its attention
on the non-tautologous aspects of the theorem. Furthermore, we discovered that the depth to which term
rewriting is allowed greatly affects the prover's ability to arrive at a proof. Clearly, more work needs to be
done in this area. At the present time, human intervention is required to adjust term rewriting depth;
hopefully this can be automated to some extent in the future.

Our  research  leads  us  to  conclude  that  preprocessing  input  clauses  by  means  of  rewrite  rules  is  also 
highly  effective  in  directing  a  theorem  prover’s  attention  towards  a  fast,  relatively  short  proof.  Although 
this  kind  of  preprocessing  is  presently  being  done  by  hand,  we  are  confident  that  it  can  be  fully  automated. 

Finally, among the practical results that we obtained, it bears mentioning that it pays to avoid
distributing "or" over "and" by means of rewrite rules.


At the same time, we discovered that there are limits to the power of term rewriting in connection
with proving theorems from set theory. For one thing, we found that the size of clauses grows almost
exponentially when terms are rewritten by terms which are themselves subject to being rewritten, and so
forth. Although this problem has no effect on soundness, the physical limitations of the computer itself
come into play at this point, causing the prover to run out of stack before it can complete its rewriting
phase.

We also realize that our procedure is not complete if rewriting takes place at the wrong time. For
example, suppose we have the rewrite rule: B ->> P(x) and we wish to demonstrate that the following
theorem is a tautology:

$B \vee (\neg P(a) \wedge \neg P(b))$

If we rewrite B before we distribute "or" over "and", we have:

$P(x) \vee (\neg P(a) \wedge \neg P(b))$

from which we can only derive:

$(P(x) \vee \neg P(a)) \wedge (P(x) \vee \neg P(b))$

and this is not tautologous no matter how we instantiate the variable x. Yet if we distribute "or" over "and"
before rewriting B, we have:

$(B \vee \neg P(a)) \wedge (B \vee \neg P(b))$

from which we can derive the tautology:

$(P(x) \vee \neg P(a)) \wedge (P(y) \vee \neg P(b))$

since Prolog will provide a different variable each time it replaces B with P(x).
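The ordering effect described above can be checked mechanically. The following is an added example, written in Python rather than the paper's Prolog and not taken from sprfn: it models the rule that rewrites B to P(x) with a fresh variable per application, applies it before and after "or"-over-"and" distribution, and searches for an instantiation over the constants a and b that makes every clause tautologous. All function names are assumptions made for the illustration.

```python
from itertools import count, product

_fresh = count(1)  # source of new variable numbers, one per rule application

# Formulas: 'B' | ('P', term) | ('not', f) | ('and', f, g) | ('or', f, g)
# Terms: a constant such as 'a', or a variable ('var', n).
THEOREM = ('or', 'B', ('and', ('not', ('P', 'a')), ('not', ('P', 'b'))))


def rewrite_B(f):
    """Rewrite every occurrence of B to P(x), using a fresh x each time."""
    if f == 'B':
        return ('P', ('var', next(_fresh)))
    if isinstance(f, tuple) and f[0] in ('or', 'and', 'not'):
        return (f[0],) + tuple(rewrite_B(g) for g in f[1:])
    return f


def distribute(f):
    """Distribute 'or' over 'and'; the result is a list of clauses."""
    if isinstance(f, tuple) and f[0] == 'and':
        return distribute(f[1]) + distribute(f[2])
    if isinstance(f, tuple) and f[0] == 'or':
        return [l + r for l in distribute(f[1]) for r in distribute(f[2])]
    return [[f]]  # a literal


def variables(clauses):
    """Sorted list of the variables occurring in the clause list."""
    found = set()
    for clause in clauses:
        for lit in clause:
            atom = lit[1] if lit[0] == 'not' else lit
            if atom[0] == 'P' and isinstance(atom[1], tuple):
                found.add(atom[1])
    return sorted(found)


def instantiate(lit, sub):
    """Apply a variable-to-constant substitution to one literal."""
    if lit[0] == 'not':
        return ('not', instantiate(lit[1], sub))
    if lit[0] == 'P':
        return ('P', sub.get(lit[1], lit[1]))
    return lit


def is_tautologous(clause):
    """A clause is tautologous iff it contains some Y together with not(Y)."""
    return any(('not', lit) in clause for lit in clause)


def find_tautology_instance(clauses, constants=('a', 'b')):
    """Return a substitution making every clause tautologous, or None."""
    vs = variables(clauses)
    for values in product(constants, repeat=len(vs)):
        sub = dict(zip(vs, values))
        if all(is_tautologous([instantiate(l, sub) for l in c])
               for c in clauses):
            return sub
    return None


def rewrite_first():
    """Rewrite B once, then distribute: both clauses share one variable."""
    return distribute(rewrite_B(THEOREM))


def distribute_first():
    """Distribute, then rewrite each copy of B: one variable per clause."""
    return [[rewrite_B(lit) for lit in clause]
            for clause in distribute(THEOREM)]


if __name__ == '__main__':
    print('rewrite first   :', find_tautology_instance(rewrite_first()))
    print('distribute first:', find_tautology_instance(distribute_first()))
```

Rewriting first leaves a single shared variable that would have to equal both a and b, so the search fails; distributing first yields two independent variables and the instantiation x = a, y = b succeeds.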


This  raises  the  following  questions:  Is  term  replacement  more  complete  than  term  rewriting?  How 
complete  is  term  replacement  for  existentially  quantified  variables?  Is  replacement  equivalent  to  delayed 
term  rewriting?  More  work  needs  to  be  done  before  we  are  in  a  position  to  answer  these  questions. 

Finally, the approaches to term rewriting that we explored are not effective when trying to prove
theorems that require creative insight. For example, in one of our experiments we tried to deduce Cantor's
Theorem using our rewrite rules. However, we discovered that sprfn was unable to find the proof without
being given quite a bit of non-trivial information. Specifically, we had to provide it with axioms implying
(1) that any function induces its own diagonal set and (2) that the relation which pairs a unit set with its
single element is a one-one function. Once these axioms were supplied, by making use of our rewrite rules
the prover was able to derive Cantor's Theorem in 33.65 cpu seconds with 12 inferences. Nevertheless,
one would like the prover to be able to realize on its own that such sets and functions exist. Yet
recognizing that there is such a thing as the diagonal of a function and that such a set might be useful in this case
requires a kind of insight that goes far beyond syntactic manipulations. Unfortunately, term rewriting alone
does not provide the necessary machinery for the prover to possess this kind of creative insight.
Appendix A


Code for Routines that Perform Top Level Replacement and General Rewriting

replace_rewrite(X,Y,YN) :-
    (replacements -> replace(X,X1,XN1),
        ((rewrites, \+ f_chaining) -> rewrite(X1,Y,XN1,XN2) ;
            XN2 = XN1 , Y = X1) ;
        ((rewrites, \+ f_chaining) -> rewrite(X,Y,XN2) ;
            (Y = X , copy(Y,XN2)))),
    (Y == XN2 -> YN = Y ;
        (copy(Y,YN),
         numbervars(YN,0,_))),!.


replace(X,Z,ZN) :-          % X is input, Z output, ZN possible ground instance
    copy(X,XN),
    (X == XN ->             % ground term
        replace(X,Z,XN,ZN) ;
        (numbervars(XN,0,_),
         replace(X,Z,XN,ZN))).

replace(X,Z,XN,ZN) :-
    replace1(X,Y,XN,YN), !,
    replace(Y,Z,YN,ZN),
    pprint(replace(X,Z)).

replace(X,X,XN,XN).

replace1(L,M,LN,MN) :-      % do one step replacing at top level
    (L == LN ->             % like rewrite1 below
        (replace_rule(L,M), copy(M,MN)) ;
        (copy(LN,LNC),
         (LN == LNC ->      % ground instance
            (clause(replace_rule(LN,MN),true,Ref),
             clause(replace_rule(L,M),true,Ref)) ;
            (copy(L,LC),
             numbervars(LC,0,_),
             clause(replace_rule(LC,MN),true,Ref),
             clause(replace_rule(L,M),true,Ref))))).

% In rewrite(L,M,LN,MN), L is input term, M is rewritten term,
% LN is possibly ground instance of L, MN is possibly ground
% instance of M.

rewrite1(L,M,LN,MN) :-      % do one step rewriting at top level
    (L == LN ->             % ground term
        (rewrite_rule(L,M), copy(M,MN)) ;
        (copy(LN,LNC),
         (LN == LNC ->      % ground instance
            (clause(rewrite_rule(LN,MN),true,Ref),
             clause(rewrite_rule(L,M),true,Ref)) ;
            (copy(L,LC),
             numbervars(LC,0,_),
             clause(rewrite_rule(LC,MN),true,Ref),
             clause(rewrite_rule(L,M),true,Ref))))).


rewrite_filter(X,X) :- var(X),!.    % can't rewrite a variable

% rewrite_filter(and(X,Y),and(X,Y)) :- !.   % don't rewrite a conjunction,
%                                           % wait and rewrite subgoals separately

rewrite_filter(X,X) :-
    \+ top_connective(X),
    copy(X,Y),
    irreducible(Y), !.      % if irreducible, stop.

rewrite(X,Y,YN) :-
    rewrite_filter(X,Y), !.

rewrite(X,Y,YN) :-          % add third argument, numbervars'd term
    copy(X,XN),
    (X == XN ->             % ground term
        rewrite0(X,Y,XN,YN) ;
        (numbervars(XN,0,_),
         rewrite0(X,Y,XN,YN))).


rewrite(X,Y,XN,YN) :-
    rewrite_filter(X,Y),!,XN = YN.


rewrite(X,Y,XN,YN) :-
    rewrite0(X,Y,XN,YN).


rewrite0(X,Z,XN,ZN) :-      % do outermost rewriting
    rewrite1(X,Y,XN,YN),!,
    pprint(rewrite(X,Y)),
    rewrite(Y,Z,YN,ZN).


rewrite0(X,Z,XN,ZN) :-      % reduce subterms, assert
    rewrite_args(X,Y,XN,YN),!,      % irreducible if so
    (X = Y -> rewrite2(Y,Z,YN,ZN) ;
        (Y = Z,
         (top_connective(Y) -> true ;
            (copy(Y,W), numbervars(W,0,_),
             passert(irreducible(W)))))).


rewrite2(X,Z,XN,ZN) :-      % do one rewrite at top level
    rewrite1(X,Y,XN,YN),!,  % then innermost rewriting
    pprint(rewrite(X,Y)),
    rewrite(Y,Z,YN,ZN).


rewrite2(X,X,XN,XN) :-
    (top_connective(X) -> true ;
        (copy(X,W),
         numbervars(W,0,_),
         passert(irreducible(W)))).   % assert irreducible term


Appendix B


Code for Tautology Checker


% X is input formula; after rewrite rules have been applied and
% tautologous clauses have been removed, Y is returned as the
% non-tautologous remainder (if any)
tautology3(X,Y) :-
    pprint(calling(tautology3(X,Y))),
    replace_rewrite(X,X1,_),    % apply rewrite rules to X
    asserta(cnf_cnt(0)),
    cnf_expand(X1,X2),          % remove tautologous portion of X
    retract(cnf_cnt(_)),
    descend_sort(X2,X3),
    remove_subsumed(X3,X4),     % remove subsumed conjuncts
    reformulate(X4,Y),          % reformulate back to CNF
    taut_print(X4).             % print non-tautologous remainder


cnf_expand(and(X,Y),Z) :- !,
    cnf_count(N),
    pprint(call(N, cnf_expand(and(X,Y), Z))),
    cnf_expand(X,Z1),           % expand each conjunct
    cnf_expand(Y,Z2),
    append(Z1,Z2,Z),
    pprint(result(N,cnf_expand(and(X,Y), Z))).

cnf_expand(or(X,Y),Z) :- !,
    cnf_count(N),
    pprint(call(N,cnf_expand(or(X,Y),Z))),
    cnf_expand(X,Z1),           % expand each disjunct
    cnf_expand(Y,Z2),
    list_non_tauts(Z1,Z2,Z),    % Z is non-tautologous remainder
    pprint(result(N,cnf_expand(or(X,Y), Z))).

cnf_expand(X,Z) :-
    cnf_count(N),
    Z = [X],
    pprint(call(N,cnf_expand(X,Z))).


% make a list (Z) of all the non-tautologous clauses that can be formed
% from the two input lists
list_non_tauts([Z1H|Z1T],Z2,Z) :-
    list_non_tauts1(Z1H,Z2,L1),
    list_non_tauts(Z1T,Z2,L2),
    append(L1,L2,Z).

list_non_tauts([],_,[]).


list_non_tauts1(Z1H,[Z2H|Z2T],Z) :-
    make_clause(Z1H,Z2H,C),
    taut_clause(C),             % check if C is a tautologous clause
    list_non_tauts1(Z1H,Z2T,L2),
    Z = L2.

list_non_tauts1(Z1H,[Z2H|Z2T],Z) :-
    make_clause(Z1H,Z2H,C),
    list_non_tauts1(Z1H,Z2T,L2),
    append([C],L2,Z).


list_non_tauts1(_,[],[]).


% C is a taut_clause iff C contains Y and not(Z) where Y == Z
taut_clause(C) :-
    append(L, [X|T], C),
    negate(X,Y),
    memq(Y,T).
Appendix C


Axioms and Rewrite Rules Based on von Neumann-Bernays-Gödel Set Theory


7. Standard Rewrites for Logical Connectives

rewrite(if(X,then(Y)), or(not(X),Y)).
rewrite(not(or(X,Y)),and(not(X),not(Y))).
rewrite(not(and(X,Y)),or(not(X),not(Y))).
rewrite(not(not(X)),X).

rewrite(or(X,and(Y,Z)),and(or(X,Y),or(X,Z))).
rewrite(or(and(X,Y),Z),and(or(X,Z),or(Y,Z))).
or(X,Y) :- prolog(tautology(or(X,Y))).
or(X,Y) :- X.
or(X,Y) :- Y.
and(X,Y) :- X,Y.
rewrite(l_and([X]), X).
rewrite(l_and([X,Y|T]), and(X,l_and([Y|T]))).
rewrite(not(l_and([X])), not(X)).
rewrite(not(l_and([X,Y|T])), or(not(X),not(l_and([Y|T])))).
rewrite(l_or([X]), X).
rewrite(l_or([X,Y|T]), or(X,l_or([Y|T]))).
rewrite(not(l_or([X])), not(X)).
rewrite(not(l_or([X,Y|T])), and(not(X),not(l_or([Y|T])))).


8. Axioms and Basic Definitions

Axiom A-1 little sets are sets (omitted because all objects are sets)


Axiom A-2 elements of sets are little sets
$(\forall x,y)[x \in y \rightarrow m(x)]$

m(X) :- el(X,Y).


Axiom A-3 principle of extensionality
$(\forall x,y)[(\forall u)[m(u) \rightarrow (u \in x \leftrightarrow u \in y)] \rightarrow x = y]$

rewrite(eq(X,Y), and(sub(X,Y), sub(Y,X))).
rewrite(not(eq(X,Y)), or(not(sub(X,Y)), not(sub(Y,X)))).
rewrite(meq(X,Y),l_and([m(X),m(Y),eq(X,Y)])).
rewrite(not(meq(X,Y)),l_or([not(m(X)),not(m(Y)),not(eq(X,Y))])).
rewrite(eq(set(X),set(Y)),meq(X,Y)).
rewrite(not(eq(set(X),set(Y))),not(meq(X,Y))).
rewrite(eq(set(X),set(Y,Z)),l_and([meq(X,Y),meq(X,Z),meq(Y,Z)])).
rewrite(not(eq(set(X),set(Y,Z))),l_or([not(meq(X,Y)),not(meq(X,Z)),not(meq(Y,Z))])).
rewrite(eq(set(X,Y),set(Z)),eq(set(Z),set(X,Y))).
rewrite(not(eq(set(X,Y),set(Z))),not(eq(set(Z),set(X,Y)))).
rewrite(eq(set(X,Y),set(W,Z)),or(and(meq(X,W),meq(Y,Z)),and(meq(X,Z),meq(Y,W)))).
rewrite(not(eq(set(X,Y),set(W,Z))),and(or(not(meq(X,W)),not(meq(Y,Z))),
    or(not(meq(X,Z)),not(meq(Y,W))))).
rewrite(eq(ord_pair(X,Y),ord_pair(W,Z)),and(meq(X,W),meq(Y,Z))).
rewrite(not(eq(ord_pair(X,Y),ord_pair(W,Z))),or(not(meq(X,W)),not(meq(Y,Z)))).


Axiom A-4 existence of nonordered pair
$(\forall u,x,y)[u \in \{x,y\} \leftrightarrow [m(u) \wedge (u = x \vee u = y)]]$

$(\forall x,y)[m(\{x,y\})]$

rewrite(el(U,set(X,Y)), and(m(U), or(eq(U,X),eq(U,Y)))).
rewrite(not(el(U,set(X,Y))), or(not(m(U)), and(not(eq(U,X)),not(eq(U,Y))))).


Definition of singleton set
$(\forall x)[\{x\} = \{x,x\}]$

eq(set(X), set(X,X)).


Definition of ordered pair
$(\forall x,y)[\langle x,y \rangle = \{\{x\},\{x,y\}\}]$

eq(ord_pair(X,Y), set(set(X), set(X,Y))).
m(ord_pair(X,Y)).


Definition of opp (ordered pair predicate)

$(\forall x)[\mathit{opp}(x) \leftrightarrow (\exists y,z)[m(y) \wedge m(z) \wedge x = \langle y,z \rangle]]$

rewrite(opp(X), l_and([m(Y), m(Z), eq(X, ord_pair(Y,Z))])).
rewrite(not(opp(X)), l_or([not(m(f2(X))), not(m(f3(X))),
    not(eq(X, ord_pair(f2(X),f3(X))))])).
opp(ord_pair(X,Y)).


Axiom of first

$(\forall z,x)[z \in \mathit{first}(x) \leftrightarrow m(z) \wedge (\exists u,v)[m(u) \wedge m(v) \wedge x = \langle u,v \rangle \wedge z \in u]]$


rewrite(first(ord_pair(X,Y)),X).
rewrite(el(first(ord_pair(X,Y)),Z),el(X,Z)).
rewrite(not(el(first(ord_pair(X,Y)),Z)),not(el(X,Z))).

rewrite(el(Z, first(X)), l_and([m(Z), m(U), m(V), eq(X, ord_pair(U,V)), el(Z,U)])).
rewrite(not(el(Z, first(X))), l_or([not(m(Z)), not(m(f4(Z,X))), not(m(f5(Z,X))),
    not(eq(X, ord_pair(f4(Z,X),f5(Z,X)))), not(el(Z,f4(Z,X)))])).


Axiom of second

$(\forall z,x)[z \in \mathit{second}(x) \leftrightarrow m(z) \wedge (\exists u,v)[m(u) \wedge m(v) \wedge x = \langle u,v \rangle \wedge z \in v]]$


rewrite(second(ord_pair(X,Y)),Y).
rewrite(el(second(ord_pair(X,Y)),Z),el(Y,Z)).
rewrite(not(el(second(ord_pair(X,Y)),Z)),not(el(Y,Z))).
rewrite(el(Z, second(X)), l_and([m(Z), m(U), m(V), eq(X, ord_pair(U,V)), el(Z,V)])).
rewrite(not(el(Z, second(X))), l_or([not(m(Z)), not(m(f6(Z,X))), not(m(f7(Z,X))),
    not(eq(X, ord_pair(f6(Z,X),f7(Z,X)))), not(el(Z,f7(Z,X)))])).
Axiom B-1 estin (element relation)

$(\forall z)[z \in \mathit{estin} \leftrightarrow m(z) \wedge \mathit{opp}(z) \wedge \mathit{first}(z) \in \mathit{second}(z)]$

rewrite(el(Z, estin), l_and([m(Z), opp(Z), el(first(Z), second(Z))])).
rewrite(not(el(Z, estin)), l_or([not(m(Z)), not(opp(Z)), not(el(first(Z), second(Z)))])).


Axiom B-2 intersection
$(\forall z,x,y)[z \in (x \cap y) \leftrightarrow m(z) \wedge z \in x \wedge z \in y]$

rewrite(el(Z, join(X,Y)), and(el(Z,X), el(Z,Y))).
rewrite(not(el(Z, join(X,Y))), or(not(el(Z,X)), not(el(Z,Y)))).


Axiom B-3 complement
$(\forall z,x)[z \in {\sim}x \leftrightarrow m(z) \wedge z \notin x]$

rewrite(el(Z, comp(X)), and(m(Z), not(el(Z, X)))).
rewrite(not(el(Z, comp(X))), or(not(m(Z)), el(Z, X))).


Definition of union
$(\forall x,y)[x \cup y = {\sim}({\sim}x \cap {\sim}y)]$

rewrite(el(Z, union(X,Y)), and(m(Z), or(el(Z,X), el(Z,Y)))).
rewrite(not(el(Z, union(X,Y))), or(not(m(Z)), and(not(el(Z,X)), not(el(Z,Y))))).
rewrite(el(Z, union(X,Y)), or(el(Z,X), el(Z,Y))).
rewrite(not(el(Z, union(X,Y))), and(not(el(Z,X)), not(el(Z,Y)))).


Axiom B-4 domain

$(\forall z,x)[z \in \mathit{domain}(x) \leftrightarrow m(z) \wedge (\exists xp)[m(xp) \wedge \mathit{opp}(xp) \wedge xp \in x \wedge z = \mathit{first}(xp)]]$

rewrite(el(Z, domain(X)), l_and([m(Z), m(XP), opp(XP), el(XP,X), eq(Z, first(XP))])).
rewrite(not(el(Z, domain(X))), l_or([not(m(Z)), not(m(f8(Z,X))), not(opp(f8(Z,X))),
    not(el(f8(Z,X),X)), not(eq(Z, first(f8(Z,X))))])).


Axiom B-5 cross product

$(\forall z,x,y)[z \in x \times y \leftrightarrow m(z) \wedge \mathit{opp}(z) \wedge \mathit{first}(z) \in x \wedge \mathit{second}(z) \in y]$

rewrite(el(ord_pair(X,Y),prod(W,Z)),and(el(X,W),el(Y,Z))).
rewrite(not(el(ord_pair(X,Y),prod(W,Z))),or(not(el(X,W)),not(el(Y,Z)))).
rewrite(el(Z,prod(X,Y)), l_and([m(Z), opp(Z), el(first(Z),X), el(second(Z),Y)])).
rewrite(not(el(Z,prod(X,Y))), l_or([not(m(Z)), not(opp(Z)), not(el(first(Z),X)),
    not(el(second(Z),Y))])).


Axiom B-6 converse

$(\forall z,x)[z \in \mathit{converse}(x) \leftrightarrow m(z) \wedge \mathit{opp}(z) \wedge \langle \mathit{second}(z),\mathit{first}(z) \rangle \in x]$

rewrite(converse(ident),ident).
rewrite(el(Z,converse(X)), l_and([m(Z), opp(Z), el(ord_pair(second(Z),first(Z)),X)])).
rewrite(not(el(Z,converse(X))), l_or([not(m(Z)), not(opp(Z)),
    not(el(ord_pair(second(Z),first(Z)),X))])).


Axiom B-7 rotate_right

$(\forall z,x)[z \in \mathit{rotate\_right}(x) \leftrightarrow m(z) \wedge (\exists u,v,w)[m(u) \wedge m(v) \wedge m(w) \wedge z = \langle u,\langle v,w \rangle\rangle \wedge \langle v,\langle w,u \rangle\rangle \in x]]$

rewrite(el(Z, rotate_right(X)), l_and([m(Z), m(U), m(V), m(W),
    eq(Z,ord_pair(U, ord_pair(V,W))), el(ord_pair(V,ord_pair(W,U)), X)])).
rewrite(not(el(Z, rotate_right(X))), l_or([not(m(Z)), not(m(f9(Z,X))),
    not(m(f10(Z,X))), not(m(f11(Z,X))),
    not(eq(Z,ord_pair(f9(Z,X),ord_pair(f10(Z,X),f11(Z,X))))),
    not(el(ord_pair(f10(Z,X),ord_pair(f11(Z,X),f9(Z,X))), X))])).


Axiom B-8 flip_range

$(\forall z,x)[z \in \mathit{flip\_range}(x) \leftrightarrow m(z) \wedge (\exists u,v,w)[m(u) \wedge m(v) \wedge m(w) \wedge z = \langle u,\langle v,w \rangle\rangle \wedge \langle u,\langle w,v \rangle\rangle \in x]]$

rewrite(el(Z,flip_range(X)), l_and([m(Z), m(U), m(V), m(W),
    eq(Z, ord_pair(U,ord_pair(V,W))), el(ord_pair(U,ord_pair(W,V)),X)])).
rewrite(not(el(Z,flip_range(X))), l_or([not(m(Z)), not(m(f12(Z,X))), not(m(f13(Z,X))),
    not(m(f14(Z,X))), not(eq(Z, ord_pair(f12(Z,X),ord_pair(f13(Z,X),f14(Z,X))))),
    not(el(ord_pair(f12(Z,X),ord_pair(f14(Z,X),f13(Z,X))),X))])).


Definition of successor
$(\forall x)[\mathit{succ}(x) = x \cup \{x\}]$

rewrite(succ(X), union(X,set(X))).


Definition of 0 (empty set)
$(\forall z)[z \notin 0]$

m(0).
not(el(Z,0)).


Definition of V (universal set)

$(\forall z)[z \in V \leftrightarrow m(z)]$

rewrite(el(Z,universe), m(Z)).
rewrite(not(el(Z,universe)), not(m(Z))).


Axiom C-1 infinity

$(\exists y)[m(y) \wedge 0 \in y \wedge (\forall x)[x \in y \rightarrow \mathit{succ}(x) \in y]]$

m(f15).
el(0,f15).
el(succ(X), f15) :- el(X,f15).


Axiom C-2 sigma (union of elements)

$(\forall z,x)[z \in \mathit{sigma}(x) \leftrightarrow m(z) \wedge (\exists y)[m(y) \wedge y \in x \wedge z \in y]]$

$(\forall u)[m(u) \rightarrow m(\mathit{sigma}(u))]$

rewrite(el(Z, sigma(X)), l_and([m(Z), m(Y), el(Y,X), el(Z,Y)])).
rewrite(not(el(Z, sigma(X))), l_or([not(m(Z)), not(m(f16(Z,X))),

replace(sub(X,Y), or(not(el(f17(X,Y),X)), el(f17(X,Y),Y))).
replace(not(sub(X,Y)), and(el(U,X), not(el(U,Y)))).

sub(X,Z) :- sub(X,Y),sub(Y,Z).


Specialized subset rewrite rules

rewrite(sub(set(X),set(Y)),meq(X,Y)).
rewrite(not(sub(set(X),set(Y))),not(meq(X,Y))).
rewrite(sub(set(X),set(Y,Z)),or(meq(X,Y),meq(X,Z))).
rewrite(not(sub(set(X),set(Y,Z))),and(not(meq(X,Y)),not(meq(X,Z)))).
rewrite(sub(set(X,Y),set(Z)),and(meq(X,Z),meq(Y,Z))).
rewrite(not(sub(set(X,Y),set(Z))),or(not(meq(X,Z)),not(meq(Y,Z)))).
rewrite(sub(set(X,Y),set(W,Z)),or(and(meq(X,W),meq(Y,Z)), and(meq(X,Z),meq(Y,W)))).
rewrite(not(sub(set(X,Y),set(W,Z))),and(or(not(meq(X,W)),not(meq(Y,Z))),
    or(not(eq(X,Z)),not(eq(Y,W))))).

rewrite(sub(X,pset(Y)), or(not(el(f17(X,pset(Y)),X)), el(f17(X,pset(Y)),pset(Y)))).
rewrite(not(sub(X,pset(Y))), and(el(U,X), not(sub(U,Y)))).
rewrite(sub(X,join(Y,Z)), and(sub(X,Y),sub(X,Z))).
rewrite(not(sub(X,join(Y,Z))), or(not(sub(X,Y)),not(sub(X,Z)))).
rewrite(sub(prod(X,Y),prod(W,Z)),and(sub(X,W),sub(Y,Z))).
rewrite(not(sub(prod(X,Y),prod(W,Z))),or(not(sub(X,W)),not(sub(Y,Z)))).


Axiom C-3 power set

$(\forall z,x)[z \in \mathit{pset}(x) \leftrightarrow m(z) \wedge z \subseteq x]$

$(\forall u)[m(u) \rightarrow m(\mathit{pset}(u))]$

rewrite(el(Z, pset(X)), sub(Z,X)).
rewrite(not(el(Z, pset(X))), not(sub(Z,X))).

m(pset(U)) :- m(U).


Definition of relation

$(\forall z)[\mathit{relation}(z) \leftrightarrow (\forall x)[m(x) \rightarrow (x \in z \rightarrow \mathit{opp}(x))]]$

rewrite(relation(Z), l_or([not(el(f18(Z),Z)), opp(f18(Z))])).
rewrite(not(relation(Z)), l_and([el(X,Z), not(opp(X))])).


Definition of sing_val (single valued set)

$(\forall x)[\mathit{sing\_val}(x) \leftrightarrow (\forall u,v,w)[m(u) \wedge m(v) \wedge m(w) \rightarrow (\langle u,v \rangle \in x \wedge \langle u,w \rangle \in x \rightarrow v = w)]]$


rewrite(sing_val(X), l_or([not(el(ord_pair(f19(X),f20(X)),X)),
    not(el(ord_pair(f19(X),f21(X)),X)), eq(f20(X),f21(X))])).
rewrite(not(sing_val(X)), l_and([el(ord_pair(U,V),X), el(ord_pair(U,W),X),
    not(eq(V,W))])).


Definition of function

$(\forall xf)[\mathit{function}(xf) \leftrightarrow \mathit{relation}(xf) \wedge \mathit{sing\_val}(xf)]$

rewrite(function(XF), and(relation(XF), sing_val(XF))).
rewrite(not(function(XF)), or(not(relation(XF)), not(sing_val(XF)))).
rewrite(function(converse(XF)),if(and(el(ord_pair(g4(XF),g5(XF)),XF),
    el(g6(XF),g5(XF))),then(eq(g4(XF),g6(XF))))).
rewrite(not(function(converse(XF))),or(and(el(X,XF),not(opp(X))),
    l_and([el(ord_pair(X,Y),XF),el(ord_pair(Z,Y),XF),not(eq(X,Z))]))).


Axiom C-4 image and substitution

$(\forall z,x,xf)[z \in \mathit{image}(x,xf) \leftrightarrow m(z) \wedge (\exists y)[m(y) \wedge \mathit{opp}(y) \wedge y \in xf \wedge \mathit{first}(y) \in x \wedge \mathit{second}(y) = z]]$

$(\forall x,xf)[m(x) \wedge \mathit{function}(xf) \rightarrow m(\mathit{image}(x,xf))]$

rewrite(el(Z, image(X,XF)), l_and([m(Z), m(Y), opp(Y), el(Y,XF),
    el(first(Y),X), eq(second(Y),Z)])).

rewrite(not(el(Z, image(X,XF))), l_or([not(m(Z)), not(m(f22(Z,X,XF))),
    not(opp(f22(Z,X,XF))), not(el(f22(Z,X,XF),XF)),
    not(el(first(f22(Z,X,XF)),X)), not(eq(second(f22(Z,X,XF)),Z))])).

m(image(X,XF)) :- m(X), function(XF).


Definition of disjoint

$(\forall x,y)[\mathit{disjoint}(x,y) \leftrightarrow (\forall u)[m(u) \rightarrow u \notin x \vee u \notin y]]$

rewrite(disjoint(X,Y), or(not(el(f23(X,Y),X)), not(el(f23(X,Y),Y)))).
rewrite(not(disjoint(X,Y)), and(el(U,X), el(U,Y))).


Definition of set difference
$(\forall x,y,z)[x \in y - z \leftrightarrow x \in y \wedge x \notin z]$

rewrite(el(X,diff(Y,Z)), and(el(X,Y),not(el(X,Z)))).
rewrite(not(el(X,diff(Y,Z))), or(not(el(X,Y)),el(X,Z))).


Axiom D regularity

$(\forall x)[x \neq 0 \rightarrow (\exists u)[m(u) \wedge u \in x \wedge \mathit{disjoint}(u,x)]]$

el(f24(X),X) :- not(eq(X,0)).
disjoint(f24(X),X) :- not(eq(X,0)).


Axiom E choice

$(\exists u)[\mathit{function}(u) \wedge (\forall x)[m(x) \wedge x \neq 0 \rightarrow (\exists y)[m(y) \wedge y \in x \wedge \langle x,y \rangle \in u]]]$

function(f25).
el(f26(X),X) :- m(X), not(eq(X,0)).
el(ord_pair(X,f26(X)),f25) :- m(X), not(eq(X,0)).


9. More Set Theory Definitions


Definition of range

$(\forall z,x)[z \in \mathit{range}(x) \leftrightarrow m(z) \wedge (\exists xp)[m(xp) \wedge \mathit{opp}(xp) \wedge xp \in x \wedge z = \mathit{second}(xp)]]$

rewrite(el(Z,range(X)),l_and([m(Z),m(XP),opp(XP),el(XP,X),eq(Z,second(XP))])).
rewrite(not(el(Z,range(X))),l_or([not(m(Z)),not(m(f27(Z,X))),not(opp(f27(Z,X))),
    not(el(f27(Z,X),X)),not(eq(Z,second(f27(Z,X))))])).


Definition of identity relation

$(\forall z)[z \in \mathit{ident} \leftrightarrow m(z) \wedge \mathit{opp}(z) \wedge \mathit{first}(z) = \mathit{second}(z)]$

rewrite(el(ord_pair(X,Y),ident),eq(X,Y)).
rewrite(not(el(ord_pair(X,Y),ident)),not(eq(X,Y))).
rewrite(el(Z,ident),l_and([opp(Z),eq(first(Z),second(Z))])).
rewrite(not(el(Z,ident)),l_or([not(opp(Z)), not(eq(first(Z),second(Z)))])).


Definition of restrict (V is universal set)

$(\forall x,y)[\mathit{restrict}(x,y) = x \cap (y \times V)]$

rewrite(restrict(X,Y),join(X,prod(Y,universe))).


Definition of one_one (one-to-one function)

$(\forall xf)[\mathit{one\_one}(xf) \leftrightarrow \mathit{function}(xf) \wedge \mathit{function}(\mathit{converse}(xf))]$

rewrite(one_one(XF),and(function(XF),function(converse(XF)))).
rewrite(not(one_one(XF)),or(not(function(XF)),not(function(converse(XF))))).


Definition of apply

$(\forall z,xf,y)[z \in \mathit{apply}(xf,y) \leftrightarrow m(z) \wedge (\exists w)[m(w) \wedge \mathit{opp}(w) \wedge w \in xf \wedge \mathit{first}(w) = y \wedge z \in \mathit{second}(w)]]$

rewrite(el(Z,apply(XF,Y)),l_and([m(Z),m(W),opp(W),el(W,XF),eq(first(W),Y),
    el(Z,second(W))])).

rewrite(not(el(Z,apply(XF,Y))),l_or([not(m(Z)),not(m(f28(Z,XF,Y))),
    not(opp(f28(Z,XF,Y))), not(el(f28(Z,XF,Y),XF)),
    not(eq(first(f28(Z,XF,Y)),Y)), not(el(Z,second(f28(Z,XF,Y))))])).


Definition of app2

$(\forall xf,x,y)[\mathit{app2}(xf,x,y) = \mathit{apply}(xf,\langle x,y \rangle)]$

rewrite(app2(XF,X,Y),apply(XF,ord_pair(X,Y))).


Definition of maps

$(\forall xf,x,y)[\mathit{maps}(xf,x,y) \leftrightarrow \mathit{function}(xf) \wedge \mathit{domain}(xf) = x \wedge \mathit{range}(xf) \subseteq y]$

rewrite(maps(XF,X,Y),l_and([function(XF),eq(domain(XF),X),sub(range(XF),Y)])).

rewrite(not(maps(XF,X,Y)),l_or([not(function(XF)),not(eq(domain(XF),X)),
    not(sub(range(XF),Y))])).


Definition of closed

$(\forall xs,xf)[\mathit{closed}(xs,xf) \leftrightarrow m(xs) \wedge m(xf) \wedge \mathit{maps}(xf, xs \times xs, xs)]$

rewrite(closed(XS,XF),l_and([m(XS),m(XF),maps(XF,prod(XS,XS),XS)])).
rewrite(not(closed(XS,XF)),l_or([not(m(XS)),not(m(XF)), not(maps(XF,prod(XS,XS),XS))])).


Definition of composition

$(\forall z,xf,xg)[z \in xg \circ xf \leftrightarrow m(z) \wedge (\exists x,y,w)[m(x) \wedge m(y) \wedge m(w) \wedge z = \langle x,y \rangle \wedge \langle x,w \rangle \in xf \wedge \langle w,y \rangle \in xg]]$

rewrite(el(Z,compose(XG,XF)),l_and([m(Z),m(X),m(Y),m(W),eq(Z,ord_pair(X,Y)),
    el(ord_pair(X,W),XF),el(ord_pair(W,Y),XG)])).
rewrite(not(el(Z,compose(XG,XF))),l_or([not(m(Z)),not(m(f29(Z,XF,XG))),
    not(m(f30(Z,XF,XG))),not(m(f31(Z,XF,XG))),
    not(eq(Z,ord_pair(f29(Z,XF,XG),f30(Z,XF,XG)))),
    not(el(ord_pair(f29(Z,XF,XG),f31(Z,XF,XG)),XF)),
    not(el(ord_pair(f31(Z,XF,XG),f30(Z,XF,XG)),XG))])).


Definition of homomorphism

$(\forall xh,xs1,xf1,xs2,xf2)[\mathit{hom}(xh,xs1,xf1,xs2,xf2) \leftrightarrow \mathit{closed}(xs1,xf1) \wedge \mathit{closed}(xs2,xf2) \wedge \mathit{maps}(xh,xs1,xs2) \wedge (\forall x,y)[(x \in xs1 \wedge y \in xs1) \rightarrow \mathit{apply}(xh,\mathit{app2}(xf1,x,y)) = \mathit{app2}(xf2,\mathit{apply}(xh,x),\mathit{apply}(xh,y))]]$

rewrite(hom(XH,XS1,XF1,XS2,XF2),l_and([closed(XS1,XF1),closed(XS2,XF2),
    maps(XH,XS1,XS2),if(and(el(f32(XH,XS1,XF1,XS2,XF2),XS1),
    el(f33(XH,XS1,XF1,XS2,XF2),XS1)),
    then(eq(apply(XH,app2(XF1,f32(XH,XS1,XF1,XS2,XF2),f33(XH,XS1,XF1,XS2,XF2))),
    app2(XF2,apply(XH,f32(XH,XS1,XF1,XS2,XF2)),
    apply(XH,f33(XH,XS1,XF1,XS2,XF2))))))])).
rewrite(not(hom(XH,XS1,XF1,XS2,XF2)),l_or([not(closed(XS1,XF1)),
    not(closed(XS2,XF2)),
    not(maps(XH,XS1,XS2)),and(and(el(X,XS1),el(Y,XS1)),
    not(eq(apply(XH,app2(XF1,X,Y)),app2(XF2,apply(XH,X),apply(XH,Y)))))])).


Definition of "equinumerosity"

$(\forall x,y)[x \approx y \leftrightarrow (\exists xf)[\mathit{one\_one}(xf) \wedge \mathit{domain}(xf) = x \wedge \mathit{range}(xf) = y]]$

rewrite(equinum(X,Y),l_and([one_one(XF),eq(domain(XF),X),eq(range(XF),Y)])).
rewrite(not(equinum(X,Y)),l_or([not(one_one(g1(X,Y))), not(eq(domain(g1(X,Y)),X)),
    not(eq(range(g1(X,Y)),Y))])).


Definition of "less than or equal to"

$(\forall x,y)[x \leq y \leftrightarrow (\exists z)[z \subseteq y \wedge x \approx z]]$

rewrite(less_eq(X,Y),and(sub(Z,Y),equinum(X,Z))).
rewrite(not(less_eq(X,Y)),or(not(sub(Z,Y)),not(equinum(X,Z)))).
Appendix D


Test Results Using a Tautology Checker


Table 1

[Table 1 is not legible in the scan. The one entry that survives intact is theorem (38):
false :- if(and(m(a),m(b)), then(eq(set(a,b),set(b,a)))).]


Note that theorems (31) and (32) are the same. However, (31) was proven using a rewrite rule for the
subset axiom, while (32) was proven using a replace rule for the subset axiom. Using a replace rather than a
rewrite rule prevented terms containing the "subset" predicate from being rewritten before tautology
checking was performed. This allowed the prover to find the proof much faster in the case of this particular
theorem.
Table 2

[The column headings in the scan are: Theorem; With "or-over-and" Distribution Rules (Time, Inferences);
Without "or-over-and" Distribution Rules (Time, Inferences). The theorem numbers and one of the two
inference columns are not legible; the rows below are in scan order.]

Time, with rules   Inferences   Time, without rules
      4.18              0              4.14
      1.66              0              1.61
      1.68              0              1.76
      5.93              4              5.31
      5.96              6              5.85
      3.66              4              3.5
      2.7               2              2.68
      5.73              4              4.86
      2.91              2              2.53
      4.53              4              4.46
      4.73              4              4.33
      2.76              2              2.73
      9.68              0              5.51
     10.88              0             10.88
      7.48              4              4.91
     10.86              0              6.64
     18.1               0              5.94
      9.34              0              5.33
     10.11              5              8.73
      4.66              4              4.53
     20.55              0              8.44
     19.88              0              7.73
      1.26              2              1.18
     12.26              8              9.63
      3.76              4              3.21
     18.36             14             15.85
      0.81              0              0.78
      0.78              0              0.84
     40.76             16             24.04
    217.96             32            189.38
      4.83              0              4.28
      3.38              0              3.11
     63.55             32             34.63
     15.96              0              4.93
     69.11             23             37.78
     67.21              0              4.25
    109.00              0              8.84

These results were derived by using a tautology-checker in conjunction with rewrite/replace rules.

SUMMARY: In each case, the number of inferences required is virtually the same whether or not the
"or-over-and" distribution rules are used. However, in almost every instance there is a speed-up when these
rules are not used. Furthermore, as a general rule it seems that as the amount of time required to prove the
theorem increases, the greater the speed-up when the "or-over-and" rules are not used.


